Mozilla Blocks Vulnerable Java Versions In Firefox

Trailrunner7 writes with this excerpt from Threatpost: "Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited. The decision to add these vulnerable versions of Java to the browser's blocklist is designed to protect users who may not be aware of the flaw and attacks. 'This vulnerability — present in the older versions of the JDK and JRE — is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,' Mozilla's Kev Needham said."

Java dying?

[Compaqt]

So sad what has become of Java.

I know a large part of Slashdot hates Java, but:

-Java passed C/C++ on Sourceforge a while back
-Java was the first language of a lot of people because a lot of colleges adopted it
-Java was the first real and powerful language for a lot of people
-Java held out the promise of developing programs not beholden to M$, thereby making a lot of platforms viable
-Java was supposed to make things easier for the small developer (ISV) by allowing write-once, run anywhere.

So that's why a lot of people have good feelings for Java. Unfortunately, it's dying of a thousand cuts.

Re:Java dying?

[jellomizer]

I think Java is just maturing not dying.

Java found it niche. JavaEE is still big, as it is a great platform for Web Services. However Java Applications have never gotten popular because they always end up looking a bit out of date (although it has greatly improved) compared to what the other platforms offer.

Slashdot hates Java because they hate anything that isn't Pure GNU open source.

Re:Java dying?

[afidel]

Maybe java applications never got popular with end users but they're pretty much the standard for advanced GUI management interfaces on enterprise equipment. I hope for the sake of people who need older java versions to access the management interface on their switches, storage arrays, etc that there is an advanced preference to turn this feature off (if not globally then on a per-domain basis).

Re:

[oh_my_080980980]

And that (the enterprise) my dear sir, is where the money is at.

OT - your sig

[mcgrew]

Credit goes to Robert Heinlein. I forgot which short story it was from.

Re:

[CubicleZombie]

However Java Applications have never gotten popular because they always end up looking a bit out of date

The Windows look-and-feel should have been enabled by default. Then Java wouldn't look like a 15 year old version of Solaris.

Re:

[Anonymous Brave Guy]

As far as look and feel goes, it's a fallacy that all you have to do to make a GUI feel native is change the chrome. You can't turn a Windows native application into an OS X native application just by altering how you draw a button and a checkbox. No GUI toolkit that is based on the assumption that you can will ever be any good for making professional level user interfaces on any platform (or at least, on any more than one platform that it secretly favours).

Re:

[Windwraith]

"Slashdot hates Java because they hate anything that isn't Pure GNU open source."
So how do you explain the massive influx of Apple lovers?

Re:

[Bill_the_Engineer]

So how do you explain the massive influx of Apple lovers?

Because being fond of Apple products and being fond of GNU open source isn't absolutely mutually exclusive.

Re:

[gstoddart]

Because being fond of Apple products and being fond of GNU open source isn't absolutely mutually exclusive.

With all of the hate directed at Apple, I actually have a hard time believing that.

Re:

[Bill_the_Engineer]

With all of the hate directed at Apple, I actually have a hard time believing that.

How does hate being directed at Apple apply?

If we are talking about a group of people who like Apple stuff then why would someone's, who is outside of that group, opinion of Apple affect the Apple group's affinity towards GNU open source?

Re:Java dying?

[TheRaven64]

Slashdot hates Java because they hate anything that isn't Pure GNU open source.

No, there are a lot of legitimate reasons to hate Java, mainly because it promised things it couldn't deliver. It promised to be portable, but running it on anything that isn't one of under half a dozen blessed platforms is painful. That new MIPS server? Sorry, no Java for you! For a long time, even Java on *BSD on x86 was painful due to onerous licensing requirements (binaries weren't redistributable, so you needed to download the source - manually so you could agree to the license agreement - download the Linux version, use the Linux version to compile the BSD version).

Then there's performance. Java performance is on a par with StrongTalk or Self, yet it's a much lower-level language. Performance is usually okay, but again Java promised C-like performance and then shows misleading benchmarks to demonstrate it.

Next there's the pain of interfacing Java with other languages. If I have a C library, I can trivially call it from most scripting languages, from Objective-C, from C++, from D, from Pascal, from Lisp, and so on. If I have a Java library, it's difficult to use it from anything that's not Java. Conversely, it's difficult to use existing libraries from Java - JNI is a whole world of pain. This means that Java often involves reinventing the wheel, while other languages just provide thin (and often automatically generated) wrappers around libraries written in other languages where appropriate.

Then there's the incompatibilities between versions. Once you've got your write-once-run-anywhere program working on your customer's machine, he installs a new version of the JRE and it stops working. Meanwhile, the statically compiled, statically linked, program in another language works just fine...

And then there's the library system. Some rookie mistakes, like making String final. More importantly there's the design patterns fetishism that's so prevalent. There's a reason for all of those JavaProgramFactoryFactoryFactory jokes...

Re:Java dying?

[TheRaven64]

Oh, and I forgot to mention the UI problem. Java UIs look and feel wrong on every platform, although they look and feel least wrong on Windows. Java promoted the idea that you should use the same UI on every platform (ignoring the fact that different user interface guidelines are one of the main differences between platforms, from a user's perspective). They intentionally made it difficult to use the target platform's user interface APIs with Java code (although Apple fixed that on OS X in 10.0, before deprecating it around 10.4) to push the idea that you'd run the same code everywhere. Good cross-platform GUI apps are MVC, using native views and slightly different controllers on each platform, but the same model code. Doing this in Java is much harder than it should be.

Re:

[Compaqt]

>Some rookie mistakes, like making String final.

Well, the way the father of Java (Gosling) explained it, I think he said something like if you could subclass String, then you could send a MyString to a someplace that expected a String, and possibly hack into something rather (password, etc.).

Re:

[Bill_the_Engineer]

I'm just going to respond to a few of your points:

No, there are a lot of legitimate reasons to hate Java, mainly because it promised things it couldn't deliver.

There are plenty of other languages that promises much and deliver few. I think a lot of language preference depends on what you learned first and who you choose to associate with. I know plenty of Perl programmers who swear Perl is the one true language, and the same with C++, Python, Ruby, etc. Each language has its strength and weaknesses, but no

Re:

[TheRaven64]

It benefits greatly from its static typing system

No it doesn't. That was one of the things that the StrongTalk team learned when Java was in its infancy. Type feedback (in class-based languages) provides more accurate information than user type annotations. A modern JVM doesn't even use the source-language annotations, it infers the types based on profiling.

{lots of stuff about how Perl is even worse}

Not really relevant. Yes, there are worse languages than Java. There aren't, however, any languages worse than Java that are anything like as successful as Java.

And this [design pattern fetishism] is unique to Java?

Not unique, perhaps, but Java does

Re:

[olau]

And this is unique to Java?

No, different languages have different kinds of brainwash. But that doesn't detract from the point that the community programming in Java is suffering from it. And managed to get the non-sense carried over to the C# community. Too Much Inheritance, Too Many Concepts. :)

With C++, there's a similar problem that everyone is focusing so much on performance and painstakingly-specified static types that the language as a whole is missing out on some big opportunities. Most of the things that really save me time i

Re:

[dkf]

More accurately, everyone is focussing too much on microbenchmark performance. C++ is a language designed for an inlining-happy compiler with lots of compile-time specialisation. This results in very large code, which means that you end up with a lot of instruction cache churn. That's a total performance killer on modern hardware for large programs, but new features of C++ (with the possible exception of lambdas) are designed to make it even worse.

It doesn't help that C++'s standard library features aren't really all that strong either. Only C is really weaker, but that's a language with a tiny standard library anyway; building your own better version out of the C primitives is quite acceptable. C++ aspires to be better... and fluffs it. Don't believe me? Compare the string handling of C++ with that of Java or C# or Perl or Tcl or ... Well, let's say it like this: C++ gives you the pain of the complexity without nearly enough of the gain of well-impl

Re:

[olau]

And then there's the library system. Some rookie mistakes, like making String final.

I disagree. The best thing Gosling could have done to Java were making all classes final. It's certainly better than the other way around. Inheritance is in many cases one of the fastest ways of turning an otherwise sensible design into OOP spaghetti.

Re:

[Anomalyst]

I think Java is just maturing not dying.

Two words:Menopause & Osteoporosis.

Re:Java dying?

[Anonymous Coward]

More like Slashdot hates Java because they flunked their intro CompSci course at the community college and now "develop" by tweaking PHP blogging software.

Re:Java dying?

[shutdown -p now]

So Microsoft invented a new language to "be LIKE Java" but not Java.

This was relevant 10 years ago when C# first appeared. Since then, it has evolved at a pace much faster than Java, and has many more useful features. Case in point: C# has had full-featured closures for 7 years now; Java is only getting them in the upcoming release.

Re:Java dying?

[SplashMyBandit]

The feature that C# doesn't have is 'cross-platform'. This is not a language flaw, it is a library and design flaw - targeting Windows. Mono does not implement the same libraries as the Microsoft .NET stack, and it turn out it never will. Unless you are a Windows only shop (which only households and smaller companies are) then the .NET stack has a lot of wonderful features but will always be technically inferior to Java because of the lack of true cross-platform capabilities. The fact that C# has some nice syntactic sugar is great, but still misses the point that you want your language *everywhere* you need to be. Java adopts features slowly not because the maintainers don't know about closures etc, it is because the language maintainers are trying to avoid Java turning into C++, which is harmful for enterprise adoption (with some lesser skilled programmers). This is one reason Java gets about 3 times the adoption world-wide as C#, despite the C# language niceties (see Tiobe for numbers). I can't see that changing for a long time no matter how many funky features C# gets first.

Re:

[ruinevil]

Mainly... its often slower C/C++, so the simple presence of the Java icon makes both programmers and users exasperated and annoyed.

Secondly, people hate it the same reason colleges love it, it forces sane programming techniques, like Pascal did.

Thirdly, it is abstracted away from machine code, so you cannot understand what your algorithms do in assembly.

Yeah, if you run only one Java program

[tepples]

its often slower C/C++, so the simple presence of the Java icon makes both programmers and users exasperated and annoyed.

After recent improvements in the VM, the only time it's noticeably slower than C++ is if the VM has to be started for the first time. If you run more than one program written in Java, it's less noticeable.

Thirdly, it is abstracted away from machine code

So is C++. In fact, some critics [yosefk.com] believe that wading through a rat's nest of C++ templates is so abstracted that it's harder to know what's going on in a program than it would be in Java.

Re:

[Myopic]

The presence of a Java icon doesn't make programmers exasperated, it makes us thankful to have a tool which manages memory for us. Memory management is hard, and this tool makes it easier. All programming languages are tools, tools which do some things better than others, and memory management is one of the most important features of a programming language as a tool.

Re:

[Korin43]

I think being abstracted away from the operating system is more important than assembly output or execution speed differences. I suspect a lot of Java programs feel slow because they're not using the power of their OS as well (virtual memory and various kinds of notifications, plus the fact that NIO isn't promoted very heavily).

Re:

[__aaltlg1547]

More to the point, being abstracted from the machine-code level is the point of writing in a higher-level programming language.

Imagine the horror of writing a simple dialog box to enter a string in machine code. Maybe one in a ten million programmers has ever actually done that.

You should only even consider opening up the assembler manual if you are about to do something that's machine-specific and not supported by whatever higher-level language you're using for the bulk of your project.

Perhaps ruinevil wa

Re:

[Compaqt]

Well, I can't speak to the crazy-insane complicated machine code of today's procs, but I think compsci students should at least have a basic intro (like 1 or 2 days) to assembly/machine language, like maybe in an 8086 emulator on Linux.

Just make it do something, like access the MS-DOS subroutines (in FreeDOS).

The point is just to have some sort of grounding in what actually happens in a computer.

Re:

[mcgrew]

IMO if you don't know assemply (on at least one chip) you're not much of a programmer, because you really don't know what your code is doing.

You do realise that the CPU designers know machine code, right? And assembly was closer to human language that any of the high level languages. MOV A, B. Simple, elegant, easily understandable. If you know assembly, learning any other language is pretty easy.

Re:

[Sperbels]

If you know assembly, learning any other language is pretty easy

Knowing any programming language makes learning another easier. And I would have to say that knowing a high level language makes learning another high level language easier, but knowing assembly language is less useful in this regard because it's so radically different.

Re:

[__aaltlg1547]

The X86 instruction code is the lowest level that's accessible. You can only cause actions to happen at the core level by executing machine instructions.

Re:Java dying?

[Necroman]

Java's server-side is still very strong and won't be going anywhere anytime soon.

Java as a language for UIs, not so much. The built in UI widgets and windowing (Swing) is weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward. Plus it always felt just enough different from native applications to stop developers from using it.

Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

Re:

[CubicleZombie]

The built in UI widgets and windowing (Swing) is weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward.

Hasn't evolved, compared to what? Its big competitor for the rich-client is .NET, which is basically just a wrapper over same old Win32 controls we were using with MFC in the 90's. I can do anything with Swing.

Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

The worst thing to ever happen to Java was Netscape 3.x and the Hotspot VM. Everybody remembers the "Starting Java..." message on the task bar - for several minutes - and then the inevitable browser crash. That sealed Java's fate on the client.

Re:

[eternaldoctorwho]

According to the language rankings by TIOBE [tiobe.com], Java is still very much in the lead, with only C as a "competitor" (although I think the practical usages of both languages are disjoint enough to not worry about competition). Everything else is training behind by a fair margin.

Re:

[__aaltlg1547]

But they base their rankings on web searches, which is pitiably lame. The fact that a language showed up in a web search is subject to variation based on press releases and manipulation.

If you want high-quality information, survey professional and amateur programmers and ask them what languages they have used in the last month.

Re:

[lwriemen]

How about this post? http://radar.oreilly.com/2012/03/computer-book-market-2011-part1.html?google_editors_picks=true [oreilly.com]

From the article:

A nice steady pattern for Java now. Growth in each of the previous three years. It is the 12th largest category overall and reached that same rank in 2011.

It seems like programmers are still buying Java books, so interest must be there.

Re:Java dying?

[The MAZZTer]

Minecraft runs on Java, so it'll stick around for a bit longer whether we like it or not.

Re:

[antdude]

Why was Minecraft designed for Java anyways? I find that annoying. I can't get rid of Java just yet. Can't it use something else? OK, Flash sucks... Silverlight, ugh. :(

Re:

[VGPowerlord]

Why was Minecraft designed for Java anyways?

As Maslow once said:

I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.

Replace "hammer" with "Java JDK" and "nail" with "Java Program."

Re:Java dying?

[rudy_wayne]

-Java held out the promise of developing programs not beholden to M$

So now you can make programs that are beholden to Oracle, who are just as bad, or worse.

Re:

[Myopic]

Java definitely isn't dying. I thought it was over the hump about five years ago, and started using other languages. Since then, Android dev has exploded, and now I spend my time using Cassandra database (Java) and Storm topology runner (Java).

In the past we used Java to make web pages a little more interesting. Today, web pages can do enough with HTML and JavaScript, so we don't need Java applets anymore -- and good riddance, at that. But that hardly means Java is dying. It isn't. Not at all.

Re:

[Hentes]

Many people like Java and it's not going anywhere in the foreseeable future. But Java applets are a different story, they will die a well-deserved death.

Re:

[CosaNostra Pizza Inc]

Java is alive and well in enterprise server environments and mobile devices. Any tablet or smartphone that runs Android is using java for the majority of its apps. Also, as some other posters pointed out, Java is continually maturing.

Re:

[tlhIngan]

Java's pretty big in the consumer market - every blu-ray player uses it, most cellphones (vast majority) have a JVM, and Android uses it as a development language (though the bytecode used by Android isn't Java bytecode).

It's become the embedded language - used everywhere but few people noticing.

Mozilla gives middle finger to enterprise again

[jellomizer]

I don't know why all the fuss is about breaking our version scheme so the Enterprise has a harder time planning appropriate upgrades to their work stations. And now we decided to break compatibility with your legacy Java systems.

So now we have to be sure that we upgrade our Java first then Firefox... However we had planned to do Fire Fox this week and Java next month, after you know we test our applications that we need to run our business with the new Java version.

The enterprise doesn't stick with IE because they think it is a good browser they know how much it sucks. They stick with it because it can be maintained and managed properly in an enterprise environment.

Re:Mozilla gives middle finger to enterprise again

[i kan reed]

If you have to choose between clearly dangerous infection vector and updating ancient and fragile legacy java applets, I'd say Mozilla is the least of your problems.

Re:

[jellomizer]

A lot of enterprises would love to give Firefox or Chrome as their standard browser. Much better use of the standards and faster and predictable running of modern stuff. So if you want to move away from your Legacy Java Applets to a new System Mozilla is a good choice for an enterprise technically to standardize on. However the Mozilla foundations are being a bunch of Elitists Richards, and seemed hell bent to make sure that Mozilla isn't incorporated in an Enterprise environment. And Enterprises need t

Re:

[__aaltlg1547]

I do. They pay my salary and your unemployment check.

Re:

[kwrzesien]

So there is EXACTLY ONE version of Java that is usable: 7u3. There is NO PATCHED version of jre6 or jdk6 that is available for our 80,000+ workstations managed by Tivoli that have jre6 installed. Upgrading to 7 requires going through Field Certification of months of application compatibility checking.

Not to mention the servers that have jdk6 installed to a specific path, jdk7 would go in a different path and require changes to configuration files and regression testing. This is a 2-3 month process usua

Re:

[__aaltlg1547]

I think anything that forces my enterprise to update its clay tablets is a good thing. But this is not that thing. IT will just say, "You could just use Internet Explorer." And they'd be right. Who has the time to go on a project of updating enterprise apps every time a browser changes?

I use Internet Explorer exclusively now (when at work) because the current version works adequately with everything else I use. Firefox used to, but then they updated it and it didn't work right with some of our enterpri

Re:

[Wrath0fb0b]

If you have to choose between clearly dangerous infection vector and updating ancient and fragile legacy java applets, I'd say Mozilla is the least of your problems.

Unless I have (an) admin machine(s) configured to access only intranet resources for the purpose of managing my legacy java applets. In that case, it would probably be nice to have an switch somewhere in about:config (maybe with a warning) to disable the blacklist. That's the problem with thinking about security without clearly identifying the context in which the policy is being deployed. For a home user Mozilla should absolutely default to not allowing outdated JREs*, for those within other environments,

How about a huge blinky warning instead?

[khasim]

Instead of Mozilla just fucking DISABLING it, how about adding a huge blinky warning to it?

"Oh, wow. I should upgrade as soon as I get the opportunity."
vs
"Fuck, it broke!"

Re:

[leuk_he]

THe java updater should have done that. Why didn't it? It flashes so often it's annoying. maybe it is not doing its job?

Re:

[ArhcAngel]

Ever heard the story of the boy who cried wolf?
Yeah, he got eaten...

Re:

[PlusFiveTroll]

I do believe somewhere around Java 6r16 they started removing the previous version when you ran the update, that said it doesn't remove any older secondary copies that were still around, but for most people your complaint has been addressed.

On the second part, why can't the distros deal with this themselves, since they do have the source they can have this check behave how ever they want... that said, I DO NOT WANT your broken distribution spreading AIDS on the internet. Enterprises, power users, and the un

Re:

[afidel]

Better would be to add whitelist support, like say a trusted zone? Yeah, it's one thing I love about IE, I can lock down the default configuration and allow all sorts of known bad configuration changes to the trusted sites zone to allow for legacy compatibility. It's exactly why IE's marketshare in the enterprise isn't going away.

Re:

[khasim]

Something like NoScript but with more granularity and that can be pushed to each workstation?

Sounds good. And 100% better than the course Mozilla did choose.

Re:

[Windwraith]

Do you realize that a warning is for average users to ignore? "Oh, wow. I should upgrade as soon as I get the opportunity" only works for people like us. Most people will do "CANCEL CANCEL CANCEL".

Re:

[mcgrew]

It isn't the users, it's their OS. I almost never boot the Linux box; I don't have to. When an update comes up the pike I update, one click and keep working. No problem.

The notebook still has Win7. Almost every update for any program requires a reboot, and damn it, There's a book I'm working on open, with Firefox tabs to other stuff (labeling sampled music, etc). So I almost always hit "not now"... because I don't want to spend twenty minutes updating something that just got updated a few weeks ago, includi

Re:

[nashv]

This is a philosophical decision. Any setting that compromises security should be OPT-IN by design, not the default.

IT Professionals of minimal competency will read complete release notes before rolling out a new version of any software. So if you have a "Fuck it Broke" situation, blame it on your IT guys.

Re:

[mspohr]

As others have pointed out and as the website points out, it does give you a "huge blinky warning" and it doesn't automatically disable it so please, calm down, sit down, take a few slow deep breaths and go away.

Re:

[jorgevillalobos]

Instead of Mozilla just fucking DISABLING it, how about adding a huge blinky warning to it?

"Oh, wow. I should upgrade as soon as I get the opportunity." vs "Fuck, it broke!"

That is almost exactly what we did. You get a warning with the option to ignore it and continuing like nothing happened.

Re:Mozilla gives middle finger to enterprise again

[Anonymous Coward]

From the article:

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

The block isn't compulsory. Undo the block and keep working in the mean time.

Re:Mozilla gives middle finger to enterprise again

[nashv]

And you would deserve it. If you maintain an insecure system, you are a threat not just to yourself, but to the entire internet.

You foster malicious code that can be used to pit your system against others. Everyone is connected on the Internet, and if you chose to be a weak link, you are everyone's problem.

I am usually sympathetic to upgrade issues, but if you are going to be in the wild of the internet, fix your software. You are on an internal closed network, no one is forcing you to upgrade Firefox. Maintain your legacy setup.

Think about that for a bit.

[khasim]

Which is easier for the average corporation?

a. Fixing the crap code that they've accumulated over the years?

b. Sticking with IE because it allows them to run the crap code from a?

Mozilla may have chosen the moral course in this but they won't achieve anything except to further marginalize themselves in corporations.

Fixing code costs money. Sticking with IE is free.

Re:

[sg_oneill]

If the IT department in your enterprise is forcing you to use insecure software, make an apointment with the head of IT, punch him in the head, and fuck his wife. Its a win-win scenario.

Re:

[jellomizer]

There is a place for that type of action. It is called Jail.
For the most part these insecure systems are designed to be ran on the companies intranet. Where your attempt to hack into the system you will only be able to obtain information you can get much easier other ways So on the list of IT priorities, the security of that legacy application made/Updated in the mid 1990's is rather low compared to other issues.

Re:

[mounthood]

Fixing code costs money. Sticking with IE is free.

Not fixing anything is cheaper then fixing it (in terms of immediate cash expense). Doesn't mean sticking with IE is the right decision, or a reasonable decision, or even that someone made a decision instead of ignoring the problem.

What should Mozilla do? Clearly they should focus on security. What should your "average corporation" do? Also care about security! But if they aren't going to and they want their software to stay static and unchanging, there are any number of solutions including: Go to "about:co

I don't like the all or nothing approach.

[khasim]

Not fixing anything is cheaper then fixing it (in terms of immediate cash expense).

Yep. That's the core problem with computer security. It is always cheaper to not do anything (right up until you lose critical data to a cracker) as long as it runs "good enough".

Doesn't mean sticking with IE is the right decision, or a reasonable decision, or even that someone made a decision instead of ignoring the problem.

Even the decision to ignore the problem is a decision. Again, as long as it runs "good enough" there w

Re:

[jorgevillalobos]

It's not an all or nothing deal. You are free to ignore the block and continue using the vulnerable versions of the plugin.

Re:Mozilla gives middle finger to enterprise again

[Kagato]

Enterprise customers don't just roll out browsers. They do testing, they tweak the configuration and then they roll it out. Having to take the extra step to configuring some settings doesn't sound like a deal breaker. If anything, it sounds like a feature enterprise could really use. If your organization is whining about this, they likely aren't following due diligence in testing the browsers in the first place.

Re:

[mounthood]

I don't know why all the fuss is about breaking our version scheme so the Enterprise has a harder time planning appropriate upgrades to their work stations. And now we decided to break compatibility with your legacy Java systems. ... The enterprise doesn't stick with IE because they think it is a good browser they know how much it sucks. They stick with it because it can be maintained and managed properly in an enterprise environment.

Large/Enterprise organizations value version stability more than security? That's poor judgment. What does "maintained and managed properly" mean if it doesn't include security? It means two things: IT can cover their asses and blame problems on Microsoft, and IT can keep using vulnerable software rather then upgrading when there's security issues. Using vulnerable software is convenient for IT, but a poor solution to keeping production running.

You theorize that IE is used because it's broke but version sta

Re:

[supremebob]

I hear ya.... I needed to scramble this morning to disable this warning message on two dozen kiosk systems, even though I configured Firefox to never check for plug-in updates.

Thank you once again for screwing up my production environments without any warning, Mozilla. I'm switching my kiosks over the Chrome, where the option for disabling plug-in checks actually works as promised.

Re:

[Nyder]

I think it's Enterprise that gives the middle finger to us users, really. Anyways, I don't think Mozilla makes firefox for the Enterprise (Star Trek, or business). I think it's for normal users, which is mostly what uses the web.

Anyways, Java doesn't sit on 1 version, it gets updated all the time, like any good software, so are you saying that Enterprise Users need to have old, outdated software that can be compromised to gain access to your computer? Sounds to me that isn't what the Enterprise needs.

Re:

[PlusFiveTroll]

Just wait till their internal website gets pwnt by a disgruntled employee and the network goes up like the Triangle Shirtwaist Factory.

Running exploitable software is Russian Roulette, one day the trigger is going to get pulled and it's going to blow your head off.

disable?

[X0563511]

I can't find any means to disable this in about:config.

I -HAVE- to have older versions of java installed on my workstation to replicate problems with old releases of our software.

Re:disable?

[Anonymous Coward]

https://wiki.mozilla.org/Extension_Blocklisting:User_Interface

Preferences for controlling the blocklist
The common user should not be allowed to override the automatic updating and application of the blocklist, but there are valid use cases for doing so.

The following preferences should be created to govern this behaviour:
        * extensions.blocklist.enable (boolean), toggles blocklist enabled on/off

Other applications or distributions may want to provide their own backlist update url which will be controlled by the following pref:
        * extensions.blocklist.url (string), url to the blocklist file

The interval in which the blocklist runs will be defined by the following pref:
        * extensions.blocklist.interval (integer), the interval in which to download a new blocklist file

These preferences should be documented on developer.mozilla.org and any announcements for developers about the blocklist functionality.

Re:

[oneandoneis2]

So keep an older version of Firefox installed to run older versions of Java with. Why would you want a cutting-edge browser to replicate legacy problems?

Re:

[X0563511]

Because the browser is not related, but the irritating block messages are.

Re:

[supremebob]

This plug-in block warning doesn't seem to be version specific. I've seen it happen on versions of Firefox as old as version 3.6.

what i would like to see in a downloader

[RobertLTux]

Personally i hate this trend of A bundling other "stuff" with a download B having the direct link to the payload TOP SECRET BURN BEFORE READING

All i ask for is a link to the complete actual program no "smart downloader" no bundled C4 and let me save the file so i can use it on another computer.

it's about time!

[tommeke100]

I'm getting a bit fed up paying a 100 euro fine because the Bundespolizei tells me they found illegal stuff on my computer!

Ubuntu/Debian users, do not tick this!

[David Gerard]

If you're using Ubuntu/Debian, you don't have to block IcedTea - per comments on their blog, it's the Debian version of IcedTea, and has been blocked in error [mozilla.com]. The IcedTea maintainer concurs [mozilla.org]. Hopefully Mozilla can re-enable it ...

Idiots

[TheRealGrogan]

Well then, people's applications fail and they say fuck Firefox. That's what such arrogance causes.

I did a new build of Chromium not long ago that refused to load a perfectly good libflashplayer.so because they decided it was too old. I don't have time for that shit. There might not have even been a newer x86_64 flashplayer available. It's not their job to force security. Load the plugin or fuck off. I find that offensive, so I just went back to my previous build (I tar up the old before replacing it). I wa

Re:

[subanark]

The codespace where an exploit can occur is limited to only a subsection of VM's code. It is not perfect, but it offers better protection than running C code, and more flexibility than non-scripting HTML does. The same concept is used when running code as non-root even if you do have sudo access.

Re:And there was me believing managed code was saf

[rudy_wayne]

that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited.

No software is perfect. No software will ever be perfect. Any non-trivial code will contain some bugs, but there's something seriously wrong here.

Software like Java, Flash and Acrobat Reader aren't weekend projects thrown together in a few hours by a highschool student. They have been around a long time and are produced by large companies with lots of resources. The fact that these programs still have to constantly be patched to fix gaping security holes, is beyond absurd.

It would be funny if it wasn't so stupid.

Re:And there was me believing managed code was saf

[Mister Whirly]

The fact that these programs still have to constantly be patched to fix gaping security holes, is beyond absurd.

I think this is addressed by your first statement-

No software is perfect.

But some bits of software are closer than others

[Anonymous Brave Guy]

Maybe no software is perfect, but some bits of software are a lot closer to perfect than others.

Much of this comes down to choice of tools. For example, if you're writing security-sensitive software in something like C or C++ in 2012 and the software in question isn't something very low-level like an OS kernel, you're probably making a mistake as far as security goes. The fact that much of the industry makes this mistake doesn't negate the preceding statement, it just means much of the industry is choosing

Re:

[Anomalyst]

[They] aren't weekend projects thrown together in a few hours by a highschool student. They have been around a long time and are produced by large companies with lots of highschool dropouts

FTFY

Re:

[TheRaven64]

Every so often, someone says to themselves 'software is complex, and therefore prone to bugs. Some of these are exploitable, giving security holes. I bet we can fix that by adding another layer of complex software.' The most surprising thing is that people actually believe them.

Re:And there was me believing managed code was saf

[Anonymous Brave Guy]

There are two ways of constructing a software design.

One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies.

The first method is far more difficult.

C. A. R. Hoare, 1980 Turing Award lecture

Re:

[poetmatt]

Also makes me wonder what happens to bad legacy apps which rely on the older versions of java?

Re:

[Bigbutt]

That's my problem. I have older Dell hardware that requires a specific version of Java or we can't get console access. I have an old laptop that I use to maintain the older versions so I can still get that access.

[John]

Re:

[LordLimecat]

I believe you can override it on a per-page basis. Thats how chrome deals with it.

Re:

[jorgevillalobos]

This is a softblock, meaning that you can ignore it if you want to or need to.

Re:

[ifrag]

I spent all morning and much of the afternoon cleaning that crap up...

Usually it's faster to just use a system restore point. Typically these drive by mass attacks are not going to be smart enough to infect system backups. Although perhaps once enough of it starts running other pieces of malware start getting retrieved as well. I'd also immediately pull the ethernet cable if that nonsense starts up, then boot to safe mode.

Re:

[jorgevillalobos]

Plugin blocks apply to all versions of Firefox and they don't require you to update it. Firefox downloads the blocklist regularly to see if there are new add-ons or graphics drivers that need blocking.

Re:

[jorgevillalobos]

Yes. Unfortunately there's no alternative, so we must favor warning users. We haven't added the Mac OS X block yet, but we will probably do so soon. Like the Windows block, though, users, will have the option to keep the vulnerable plugin enabled.

Re:

[jorgevillalobos]

Apple released a Java update today, so everybody should be checking Software Update now, before we block on Mac.